Turns out that one of my favorite sites (Reddit) stored plain text
passwords in its database. The reddit
database was recently stolen, and now whoever stole it has
all the passwords to reddit. The rationale for this was:

Personally, I prefer the convenience of having my
passwords emailed to me when I forget, which happens from time
to time since I use different passwords everywhere.

Not hashing was a design decision we made in the beginning,
and it didn't stem from irresponsibility-- it stemmed from a
decision to provide functionality that I liked.

It bit us in the ass this time, and we are truly sorry for
it. The irresponsibility (and there is some) was allowing our
data to get nabbed.

So the convenience of emailing a password when you forget
it is what caused the developers to keep the passwords in the
open.

Now, I do not particularly care if my reddit password is
stolen. I have a policy of using a different password for
every site that wants me to create an account with them. I
use wildly different passwords for each site that I register
with, so I manage to limit my exposure by limiting the damage
to that particular site.

But many of my friends use combinations of "the same
password everywhere" (especially the non-technical), "the
password with the site name" (slightly more technical), or "three
tiers of passwords: weak, normal and high-security".

Everyone in those groups is vulnerable to having their stolen
password used to break into their accounts on other sites. Not good.

But the second realization that I had is that this
practice is incredibly common. In the last month I have
probably requested to "recover my password" from six or seven
sites, and at least two of them sent me back my original
password. I remember thinking "Oh, that is handy, I'm glad I
did not have to go through a reset password process". Only
now do I realize that these sites are basically exposing my
password to the world. This is not a phenomenon limited to
reddit; it is incredibly common.

Server folks also need to use stronger encryption
mechanisms. As Jeff points out on his Rainbow
Hash Cracking

You should use a different password for each site that you
visit. Even if you knew that a site does not store your
password in plain text (and there is no way of finding out),
these days password-cracking tools take advantage of
available memory and disk space to crack hashes rapidly. See
Jeff Atwood's Rainbow
Hash Cracking post where he installs Ophcrack (open
source software, available for most platforms) and cracks most
"strong" passwords in a matter of minutes.
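To make the two points above concrete (plain text storage exposes every password, and a bare unsalted hash falls to a precomputed table, while a salted, iterated hash still lets a site verify logins and run a reset flow), here is a small added demonstration I wrote for this post; it is not reddit's code, the user names and passwords are constructed, and `store_plaintext` and `store_unsalted_sha1` are deliberately the weak patterns:

```python
import hashlib
import hmac
import os

COMMON_PASSWORDS = ["password", "letmein", "hunter2", "reddit123"]  # constructed demo data

def store_plaintext(db, user, password):
    """Plain text: a stolen table yields every password as-is (the only scheme that can email the original back)."""
    db[user] = password

def store_unsalted_sha1(db, user, password):
    """Bare hash: one precomputed table reverses it for every site."""
    db[user] = hashlib.sha1(password.encode()).hexdigest()

def store_salted_pbkdf2(db, user, password, iterations=200_000):
    """Random per-user salt plus a slow iterated hash: no precomputed table applies."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    db[user] = (salt, iterations, digest)

def verify_salted_pbkdf2(db, user, candidate):
    """Login works without the original: recompute with the stored salt, compare in constant time."""
    salt, iterations, digest = db[user]
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations)
    return hmac.compare_digest(test, digest)

def build_rainbow_table(candidates):
    """What an attacker precomputes once, offline: unsalted hash -> password."""
    return {hashlib.sha1(p.encode()).hexdigest(): p for p in candidates}

def recover_with_table(db, table):
    """Accounts whose stored value is a bare hash found in the table."""
    return sum(1 for v in db.values() if isinstance(v, str) and v in table)

def demo():
    plain, bare, salted = {}, {}, {}
    for i, pw in enumerate(COMMON_PASSWORDS):
        user = f"user{i}"
        store_plaintext(plain, user, pw)
        store_unsalted_sha1(bare, user, pw)
        store_salted_pbkdf2(salted, user, pw, iterations=1_000)  # low count to keep the demo fast
    table = build_rainbow_table(COMMON_PASSWORDS)
    return {
        "plaintext_exposed": len(plain),                        # 4: every entry readable directly
        "unsalted_cracked": recover_with_table(bare, table),    # 4
        "salted_cracked": recover_with_table(salted, table),    # 0
        "login_still_works": verify_salted_pbkdf2(salted, "user2", "hunter2"),       # True
        "wrong_password_rejected": verify_salted_pbkdf2(salted, "user2", "hunter3"), # False
    }
```

Against the salted store the attacker has to recompute the slow hash separately for every user and every guess, which is exactly the cost a precomputed table was meant to avoid.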

For dealing with one-password-per-site I keep a GPG
encrypted file and use a script that Gonzalo wrote. Maybe it's
too simple, but it works (source is here).

Windows has a couple of tools that can keep your passwords
encrypted. It would be nice if someone wrote a nice UI for
this for Unix. The gnome-keyring is a step in the right
direction, but the UI (gnome-keyring-manager) is not really
designed for end users to use. It is more of a front-end to
the password backend for the desktop.

We need to make this kind of tool pervasive on all of the
desktop systems (and Mozilla remembering passwords is not
enough to be practical).

Update: Jensen Somers in the comments points us to
Revelation, a
tool for the Gnome desktop that does this.